Connect April 2006 - Security Article

Portable Risk and Portable Security

by Kent Strickland


Portable Risk

Information is invaluable.  If it were not valuable, individuals would not demand its privacy, businesses could run without it, laws would not protect it and bad guys would not try to steal it.  Can you put a dollar value on it?  Is your resolve greater than that of the bad guys?  Can you be trusted with it?

Identity theft is not an inconvenience for victims; it is a nightmare.

  • In December, a laptop computer was stolen from the home of a Medco Health Solutions employee.  The computer contained unencrypted Social Security numbers of 4,300 Ohio workers and 300 dependents, along with details of prescribed medications.  The employee was doing a routine audit of prescription benefits from home.
  • Also in December, backup disks and tapes containing health care information for 365,000 patients in Washington and Oregon were stolen from the car at the home of a Providence Home Services employee.  The unencrypted backup data was taken home as part of the company’s disaster recovery procedure to maintain copies of critical data off site.  In February, one employee was fired and three others resigned as a result of the incident.
  • In January, Ameriprise Financial had to notify 158,000 customers and 68,000 financial advisers that their Social Security numbers and account numbers were exposed as the result of the theft of a laptop computer from an employee's locked car in a public parking lot.  The thief smashed the car's window to steal the laptop.
  • Ernst & Young was auditing Sun Microsystems for compliance with the Sarbanes-Oxley Act.  A laptop computer containing unencrypted personal information of employees, including the Social Security number of Sun's CEO, was stolen from the locked car of one of the auditors in February.  That same month, Ernst & Young also lost four laptop computers from an office building conference room.  Cameras recorded, but could not prevent, the theft: the auditors had left for lunch only a couple of minutes earlier, and the automatic time-delayed locks on the doors had not yet engaged.
  • Unencrypted Social Security numbers and information on stock holdings for 9,000 McAfee employees was on a CD that disappeared from the pocket of an airline seat in December, left there by an employee of Deloitte & Touche, McAfee’s auditors.  McAfee is now revising its corporate policies regarding the handling of information in transit or storage with third parties.
  • Social Security numbers for 93,000 students collected over a nine-year period were on a laptop stolen from the home of a Metropolitan State College employee who was using the data for a master’s thesis and to write a grant proposal.  The Denver-based College is investigating whether or not the student employee had permission to use the data and is reviewing laptop policies related to unencrypted information.
  • In the last six months of 2004, based on a survey of 900 taxi drivers in several major cities, it was estimated that 63,135 mobile phones (an average of three per taxi), 5,838 PDAs and 4,973 laptops were left in London taxi cabs.  During the same period, it was estimated that 85,619 mobile phones, 21,460 PDAs and 4,425 laptops were left in Chicago cabs.

When media or laptops travel, they leave known security environments and traverse continuously variable security environments, networks and circumstances.  Assessing risk is impractical in these situations and “feeling” secure could actually be a weakness.  It is best, for the sake of those whose information is being transported, to assume that the media or laptops could be lost or stolen. 

Portable Security

Ohio’s Breach Notification Act (HB 104) went into effect in February, requiring notification to Ohio residents in the event of an exposure of unencrypted or unredacted information that creates a material risk of fraud against the individuals.  

In February, it was announced that a laptop computer containing insurance claims for 4,000 patients of the University of Texas M.D. Anderson Cancer Center was stolen from the home of a PricewaterhouseCoopers (PWC) auditor who was reviewing claims.  The difference in this case is that the computer used “sophisticated encryption software.”

If the data on the laptop was encrypted, why then was the incident made public and why did PWC notify the individuals?

  • Some states do not have breach notification laws, and those that do differ in their details.  Maybe the PWC laptop contained data for residents of a state whose law makes no exception for encrypted data.  Seeking legal advice and working with police in this situation could take time; maybe that is why the November incident was not reported until February.
  • Maybe PWC is an ethical company and responded with integrity, or perhaps there was a risk that had not yet been identified.

It’s important to remember…

Information is not necessarily safe just because it is encrypted.  There are different levels of encryption and some algorithms are not as strong as others.

  • Encryption techniques usually require a password for encryption or decryption.  If the password is weak, it can easily be guessed, and the strength of the algorithm does nothing to stop a thief who simply tries likely passwords one after another.
  • Even if you do not store sensitive information on a computer, it can still be at risk if you process it there.  For example, say you have sensitive data in a file on a CD.  You load the CD into your laptop, copy the file to the hard drive and use Microsoft Word to make some changes.  You burn the updated file to a new CD, delete the copy from the hard drive and store both CDs separately in a safe place.  Your laptop is subsequently stolen.  No problem, right?  Not so fast!
  • Data in deleted files is recoverable from a hard drive with special tools: deleting a file removes its directory entry and marks its space as free, but the contents stay on the disk until something else happens to overwrite them.  As you edit, Microsoft Word creates temporary files on the hard drive so that you can "undo" mistakes or recover your changes if the computer crashes; the information in those deleted temporary files is recoverable too.  And if you are quite the multi-tasker, with more applications running than fit in the computer's memory, the system swaps the least-used memory to the hard drive to make it look like the computer has more memory than it really has.  Information temporarily written to the swap file is recoverable as well.

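To make the weak-password point concrete, here is an added example (not code, a tool or data from this article) of what a thief does with a password-protected file: run a wordlist against it.  Everything about the container is an assumption chosen so the demo runs on the Python standard library alone: the layout salt||nonce||ciphertext||tag, PBKDF2-SHA256 to turn the password into a key, and HMAC-SHA256 in counter mode as the cipher.  The records and the wordlist are constructed; the two Social Security numbers are publicised invalid numbers, not real ones.

```python
"""Dictionary attack on a password-protected file (added example, not from the
original article). Container format and cipher are assumptions; see lead-in."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 10_000          # kept low so the demo finishes in seconds
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key. A slow KDF raises the cost per guess, nothing more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Assumed container layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def try_decrypt(password: str, blob: bytes):
    """Return the plaintext, or None when the password is wrong (tag mismatch)."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(password, salt)
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def dictionary_attack(blob: bytes, wordlist):
    """Try every candidate in order; the tag check is the oracle that says 'hit'.
    Returns (password, plaintext, guesses needed) or None if the list is exhausted."""
    for attempts, guess in enumerate(wordlist, start=1):
        plaintext = try_decrypt(guess, blob)
        if plaintext is not None:
            return guess, plaintext, attempts
    return None


# Constructed sample data and a ten-entry stand-in for a real wordlist.
SAMPLE_RECORDS = b"Employee,SSN\nA. Example,078-05-1120\nB. Sample,219-09-9999\n"
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome",
            "audit2006", "Spring06", "changeme", "laptop", "secret"]


def demo():
    """Same cipher, same KDF, two passwords: only the password decides the outcome."""
    weak = encrypt("audit2006", SAMPLE_RECORDS)                    # appears in the list
    strong = encrypt("vertigo-canal-maple-81!", SAMPLE_RECORDS)    # does not
    return dictionary_attack(weak, WORDLIST), dictionary_attack(strong, WORDLIST)


if __name__ == "__main__":
    cracked, uncracked = demo()
    print("weak container: password", repr(cracked[0]), "found after", cracked[2], "guesses")
    print("recovered record:", cracked[1].decode().splitlines()[1])
    print("strong container:", "not recovered" if uncracked is None else "recovered")
```

The attacker's cost is simply (number of guesses) times (cost of one key derivation); the cipher is never attacked at all.  A real product would use AES rather than an HMAC keystream, and its header check plays the role the tag plays here, but that changes nothing about the arithmetic: a password that appears in a wordlist falls in seconds, a long passphrase that does not appear in any list does not fall at all.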
Maybe the data on the PricewaterhouseCoopers laptop was encrypted, and maybe not.
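
The temporary-file and swap-file point above is why "maybe not" is the safer assumption, and an added example (not code or data from this article) shows what a carving tool finds on the stolen drive.  The filesystem is a toy standing in for a real one (an assumption): a flat image of 512-byte sectors, a directory and an allocation set.  It models only the behaviour that matters here, namely that deleting a file releases its sectors without erasing them, while a carving tool reads the raw image and ignores the directory.  The file names, records and Social Security numbers are constructed (the SSNs are publicised invalid numbers).

```python
"""Carving "deleted" data from a raw disk image (added example, not from the
original article). The ToyDisk layout is an assumption, not a real filesystem."""
import re
from dataclasses import dataclass, field

SECTOR = 512
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # nnn-nn-nnnn with word boundaries


@dataclass
class ToyDisk:
    image: bytearray
    directory: dict = field(default_factory=dict)   # file name -> list of sector numbers
    allocated: set = field(default_factory=set)     # sectors currently in use

    def _free_sectors(self, count):
        free = [s for s in range(len(self.image) // SECTOR) if s not in self.allocated]
        if len(free) < count:
            raise OSError("disk full")
        return free[:count]

    def write_file(self, name, data):
        sectors = self._free_sectors(-(-len(data) // SECTOR))   # ceiling division
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.image[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = sectors
        self.allocated.update(sectors)

    def delete_file(self, name):
        """Ordinary delete: forget the name, free the sectors, leave the bytes alone."""
        self.allocated.difference_update(self.directory.pop(name))

    def shred_file(self, name):
        """Overwrite every sector the file occupies, then release it."""
        for s in self.directory[name]:
            self.image[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
        self.delete_file(name)


def carve_ssns(disk):
    """Scan the whole raw image as a forensic tool would, ignoring the directory.
    Returns (ssn, byte offset, sector currently allocated) for every hit."""
    return [(m.group().decode(), m.start(), m.start() // SECTOR in disk.allocated)
            for m in SSN_RE.finditer(disk.image)]


# Constructed records; 078-05-1120 and 219-09-9999 are publicised invalid SSNs.
RECORDS = b"Employee,SSN\nA. Example,078-05-1120\nB. Sample,219-09-9999\n"


def populate(disk):
    """The article's workflow: copy from CD, edit in Word, plus what the OS leaves behind.
    The temp and swap file names are assumed, not taken from any product."""
    disk.write_file("benefits.csv", RECORDS)                                   # copied from the CD
    disk.write_file("~WRL0001.tmp", RECORDS.replace(b"Sample", b"Sampler"))     # editor's recovery copy
    disk.write_file("pagefile.sys", b"\0" * 100 + RECORDS[13:36] + b"\0" * 300)  # paged-out fragment


def scenario():
    """Returns carving results for live files, after a plain delete, and after
    overwrite-then-delete, so the three can be compared."""
    disk = ToyDisk(bytearray(64 * SECTOR))
    populate(disk)
    before = carve_ssns(disk)
    for name in list(disk.directory):
        disk.delete_file(name)          # what "delete the copy from your hard drive" does
    after_delete = carve_ssns(disk)

    disk = ToyDisk(bytearray(64 * SECTOR))
    populate(disk)
    for name in list(disk.directory):
        disk.shred_file(name)
    after_shred = carve_ssns(disk)
    return before, after_delete, after_shred


if __name__ == "__main__":
    before, after_delete, after_shred = scenario()
    print(f"live files: {len(before)} SSNs found, all in allocated sectors")
    print(f"after delete: {len(after_delete)} SSNs still carvable, "
          f"{sum(not alloc for _, _, alloc in after_delete)} of them in 'free' space")
    print(f"after overwrite-then-delete: {len(after_shred)} SSNs")
```

Every SSN the user "deleted" is still recoverable from free space, and the copies the user never knowingly made (the editor's recovery file and the paged-out fragment) are recoverable too.  Overwriting before deletion fixes the toy, but on a real machine you do not control where the operating system writes its temporary and swap files, which is the argument for encrypting the whole disk rather than individual files.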

Protecting sensitive information, through encryption and other techniques, requires discipline.  Well thought out policies, procedures and tools can help.  Loss or theft?  You will have those, but they do not have to become a nightmare for countless victims.

Continue to watch for information, advice and implementation plans for encrypting sensitive data.

-Kent Strickland

Information Security Officer, ITS